DHS Program Challenged

The Department of Homeland Security's information-sharing plan has corporate America and privacy advocates worried.

Businesses may now have a way to turn over private information about critical infrastructure to the Department of Homeland Security with less concern that the information will be made public. But government assurances of confidentiality have done little to reduce worries in corporate America or among privacy advocates, and lawsuits are expected.

The DHS Protected Critical Infrastructure Information Program, announced here last week, aims to expand the private information the government collects, retains and uses in the war on terror. To make companies less uneasy about sharing data, the PCII Program exempts qualified data from the Freedom of Information Act and limits civil liability for disclosure.

The most vocal fears about the program point to an expanding ethos of secrecy in the federal government.

"When people want greater secrecy and they dress it up behind a claim of privacy, they weaken the legitimate right to privacy," said Sean Moulton, senior information policy analyst at OMB Watch, in Washington.

Because much of the countrys critical infrastructure is physical—such as dams and power grids—sharing information about it is unlikely to violate individuals privacy rights, Moulton said. However, in the cyber context, infrastructure information is apt to involve the data that travels over networks, which involves those who send and receive it, he said.

"In cyberspace, it is about whats going over the network and what people are doing on their accounts," Moulton said. "If [ISPs] want to give personal account information [under the program], all they would have to do is somehow connect it to a vulnerability or a threat to the infrastructure."

Concerns about secrecy and privacy stem from what critics see as an overly broad definition of critical infrastructure, which was taken from the USA Patriot Act. Acknowledging expected legal challenges to the program, DHS officials said last week that the program does cast a wide net, particularly in the cyber context.

"Its a broad category," said Robert Liscouski, assistant secretary for infrastructure protection at the DHS. "Were going to enter a period here where the courts are going to help us determine how strong the law is."

Whether private companies will hand over more information about their infrastructure is unclear, but skepticism remains about the security of information in government hands.

"The private sector does a better job of protecting its technology assets than the government. Private, profit-driven businesses have a huge incentive to protect these assets," said Michael Schwedhelm, CIO at United Labor Bank, in Oakland, Calif.